Surface Secure Boot Certificates

Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device's boot (start) sequence. It works by verifying the digital signature of pre-boot software against a set of trusted digital certificates (also known as certificate authority or CA) stored in the device's firmware. As an industry standard, UEFI Secure Boot defines how platform firmware manages the certificates, authenticates firmware, and how the operating system (OS) interfaces with this process.

Windows Secure Boot certificates expiring in 2026

To help keep your Windows device secure, Microsoft is updating the certificates used by Secure Boot—a security feature that helps protect your devices from malware during startup. These certificates, originally issued in 2011, are set to expire starting in June 2026. To stay protected, your device needs to receive a newer set of 2023 Secure Boot certificates before then. For most users, the needed updates will be delivered automatically through Windows Updates with no user action required.

Whether the updates were successfully applied can be verified through the Windows Security App, as described in Secure Boot certificate update status in the Windows Security app. IT professionals in an organization can also verify status for managed devices through a PowerShell detection script.

How does this impact Surface devices?

All Surface devices released in 2024 and later have an updated UEFI Secure Boot Signature Database (DB) that contains the newer 2023 Secure Boot certificates. For earlier Surface devices that already receive IT-managed updates, if you do not wish to wait for the needed updates to be delivered automatically through Windows Update, several deployment methods are available:

· Microsoft Intune method
· Registry key method
· Group Policy Objects (GPO) method

Some Surface devices can also receive these Secure Boot updates through their UEFI settings, but that requires additional steps and user intervention. The table below shows which devices have these updates available for manual deployment. Changing this setting will trigger a BitLocker recovery, so make sure your BitLocker recovery key is available before taking these steps:

1. Boot into the UEFI firmware settings menu by holding volume-up and power.
2. Go to the Security section and, under Secure Boot, click the “Change Configuration” button.
3. Select “Microsoft only” in the drop-down menu and choose OK.
4. On the left-hand side of the settings menu, choose the Exit option and then “Restart now”.

Regardless of the method used to update Secure Boot certificates, all Surface devices in the table below (and those released in 2024 and later) have updated recovery images available from Microsoft that require these certificates.

Product Name | Minimum UEFI version with available Secure Boot updates
---|---
Surface Hub 3¹ | 6.104.143.0
Surface Go 4 | 8.200.143.0
Surface Laptop Go 3 | 10.200.143.0
Surface Laptop Studio 2 | 16.200.143.0
Surface Laptop 5 | 9.200.143.0
Surface Pro 9 | 12.200.143.0
Surface Pro 9 with 5G | 18.7.235.0
Windows Dev Kit 2023 | 12.6.235.0
Surface Studio 2+ | 20.101.143.0
Surface Laptop Go 2 | 26.102.143.0
Surface Laptop SE | 7.9.139.0
Surface Pro X WiFi | 10.703.140.0
Surface Go 3 | 11.200.143.0
Surface Pro 8 | 23.200.143.0
Surface Laptop Studio | 23.200.143.0
Surface Laptop 4 (Intel) | 23.200.143.0
Surface Laptop 4 (AMD) | 4.200.140.0
Surface Pro 7+ | 23.200.143.0
Surface Pro 7 | 17.200.140.0
Surface Book 3 | 17.200.140.0

¹ Surface Hub 3 recovery images can be used with Hub 2S devices that have been migrated to Windows 11.
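The following is an added PowerShell example, not Microsoft's own detection script, that combines the two checks an administrator would want from this page: whether the 2023 certificates are already present in the device's Secure Boot DB and KEK variables, and whether the device's UEFI version meets the minimum listed in the table above. It assumes an elevated session on a UEFI device, that Win32_ComputerSystem.Model returns the product name exactly as it appears in the table, and that the certificate subject names are the ones Microsoft published for the 2023 CAs (those names are not on this page).

```powershell
#Requires -RunAsAdministrator
# Added example; assumptions: Surface model string matches the table's product
# name, firmware version is reported in dotted form, and the 2023 CA subject
# names below are Microsoft's published names (not taken from this page).

# Subset of the "Minimum UEFI version" table from this page.
$MinUefi = @{
    'Surface Pro 9'       = '12.200.143.0'
    'Surface Laptop 5'    = '9.200.143.0'
    'Surface Go 4'        = '8.200.143.0'
    'Surface Laptop Go 3' = '10.200.143.0'
    'Surface Pro 8'       = '23.200.143.0'
}

function Test-SecureBootCaPresent {
    param([string]$Variable, [string]$Subject)
    # DB and KEK hold EFI_SIGNATURE_LIST entries whose DER certificates embed
    # the subject CN as plain ASCII, so a substring search is enough to detect
    # whether a given CA has been enrolled (assumption: subject string is unique).
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Subject)
}

function Get-SurfaceSecureBootStatus {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled or not supported.' }
    $model = (Get-CimInstance Win32_ComputerSystem).Model
    $fw    = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion -as [version]
    $min   = if ($MinUefi.ContainsKey($model)) { [version]$MinUefi[$model] } else { $null }
    [pscustomobject]@{
        Model            = $model
        UefiVersion      = $fw
        # $true only when the model is in the table and the firmware is at or above the minimum.
        FirmwareEligible = if ($min -and $fw) { $fw -ge $min } else { 'unknown model or version' }
        Db_WindowsCa2023 = Test-SecureBootCaPresent -Variable 'db'  -Subject 'Windows UEFI CA 2023'
        Db_UefiCa2023    = Test-SecureBootCaPresent -Variable 'db'  -Subject 'Microsoft UEFI CA 2023'
        Kek_Ca2023       = Test-SecureBootCaPresent -Variable 'KEK' -Subject 'Microsoft Corporation KEK 2K CA 2023'
    }
}

Get-SurfaceSecureBootStatus
```

A device reporting $false for the DB entries after its UEFI version meets the table minimum is a candidate for one of the deployment methods listed above; a device reporting $true for all three has already received the 2023 certificates.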

Additional options for IT professionals and organizations

The Windows Assessment and Deployment Kit (ADK) added support for the 2023 CA in version 10.1.26100.2454 (December 2024), and new Windows Preinstallation Environment (WinPE) images can be created with the updated certificate. Pre-existing images can be updated following the guidance here: Updating Windows bootable media to use the PCA2023 signed boot manager.